Revision as of 18:50, 2 April 2011

Setting Up a Koji Build System

The Koji components may live on separate resources as long as all resources are able to communicate. This document will cover how to setup each service individually, however, all services may live on the same resource.

PreReqs of Knowledge

Basic knowledge about creating a database in PostgreSQL and importing a schema

Working with psql

Basic knowledge about Apache configuration

Basic knowledge about yum/createrepo/mock - else you'll not be able to debug problems!

Basic knowledge about using command line

Basic knowledge about RPM building

Simple usage of the Koji client

For an overview of yum, mock, Koji (and all its subcomponents), mash, and how they all work together, see the excellent slides put together by Steve Traylen at CERN [1].

PreReqs of Packages

On the server (koji-hub/koji-web)

httpd

mod_ssl

postgresql-server

mod_python (>= 3.3.1 for Kerberos authentication)

On the builder (koji-builder)

mock

setarch (for some archs you'll require a patched version)

rpm-build

createrepo

A note on filesystem space

Koji will consume copious amounts of disk space under the primary KojiDir directory (as set in the kojihub.conf file). However, as koji makes use of mock on the backend to actually create build roots and perform the builds in those build roots, it might come to a surprise to users that a running koji server will consume large amounts of disk space under /var/lib/mock as well. Users should either plan the disk and filesystem allocations for this, or plan to modify the default mock build directory in the kojid.conf file.

Koji Authentication Selection

Koji primarily supports Kerberos and SSL Certificate authentication. For basic koji command line access, plain user/pass combinations are possible. However, kojiweb does not support plain user/pass authentication and once either Kerberos or SSL Certificate authentication is enabled for kojiweb, the plain user/pass method will stop working entirely. For this reason we encourage skipping the plain user/pass method altogether and properly configuring either Kerberos or SSL Certification authentication from the start.

The decision on how to authenticate users will affect all other actions you take in setting up koji. For this reason it is a decision best made up front.

For Kerberos authentication, a working Kerberos environment (the user is assumed to either already have this or know how to set it up themselves, instructions for it are not included here) and the Kerberos credentials of the initial admin user will be necessary to bootstrap the user database.

For SSL authentication, SSL certificates for the xmlrpc server, for the various koji components, and one for the admin user will need to be setup (the user need not know how to create certificate chains already, we include the instructions for this below).

Setting up SSL Certificates for authentication

Certificate generation

Create the /etc/pki/koji directory and copy-and-paste the ssl.cnf listed here, and save it in the new directory. This configuration file is used along with the openssl command to generate the SSL certificates for the various koji components.

Although it is not required, it is recommended that you edit the default values in the [req_distinguished_name] section of the configuration to match the information for your own server. This will allow you to accept most of the default values when generating certificates later. The other sections can be left unedited.

Generate CA

The CA is the Certificate Authority. It's the key/cert pair used to sign all the other certificate requests. When configuring the various koji components, both the client CA and the server CA will be a copy of the CA generated here. The CA certificate will be placed in the /etc/pki/koji directory and the certificates for the other components will be placed in the /etc/pki/koji/certs directory. The index.txt file which is created is a database of the certificates generated and can be used to view the information for any of the certificates simply by viewing the contents of index.txt.

The last command above will ask you to confirm a number of items about the certificate you are generating. Presumably you already edited the defaults for the country, state/province, locale, and organization in the ssl.cnf file and you only needed to hit enter. It's the organizational unit and the common name that we will be changing in the various certs we create. For the CA itself, these fields don't have a hard requirement. One suggestion for this certificate is to use the FQDN of the server.

Generate the koji component certificates and the admin certificate

Each koji component needs its own certificate to identify it. Two of the certificates (kojihub and kojiweb) are used as server side certificates that authenticate the server to the client. For this reason, you want the common name on both of those certs to be the fully qualified domain name of the web server they are running on so that clients don't complain about the common name and the server not being the same. You can set the OU for these two certificates to be kojihub and kojiweb for identification purposes.

For the other certificates (kojira, kojid, the initial admin account, and all user certificates), the cert is used to authenticate the client to the server. The common name for these certs should be set to the login name for that specific component. For example the common name for the kojira cert should be set to kojira so that it matches the username. The reason for this is that the common name of the cert will be matched to the corresponding user name in the koji database. If there is not a username in the database which matches the CN of the cert the client will not be authenticated and access will be denied.

When you later use koji add-host to add a build machine into the koji database, it creates a user account for that host even though the user account doesn't appear in the user list. The user account created must match the common name of the certificate which that component uses to authenticate with the server. When creating the kojiweb certificate, you'll want to remember exactly what values you enter for each field as you'll have to regurgitate those into the /etc/koji-hub/hub.conf file as the ProxyDNs entry.

When you need to create multiple certificates it may be convenient to create a loop like the on listed below or to even place the code into a script and run the script in a loop. You can simply adjust the number of kojibuilders and the name of the admin account as you see fit. For much of this guide, the admin account is called "kojiadmin".

When generating certs for a user, the user will need the ${user}.pem, the ${caname}_ca_cert.crt, and the ${user}_browser_cert.p12 files which were generated above. The ${user}.pem file would normally be installed as ~/.fedora.cert, the ${caname}_ca_cert.crt file would be installed as both ~/.fedora-upload-ca.cert and ~/.fedora-server-ca.cert, and the user would import the ${user}_brower_cert.p12 into their web browser as a personal certificate.

Copy certificates into ~/.koji for kojiadmin

You're going to want to be able to send admin commands to the kojihub. In order to do so, you'll need to use the newly created certificates to authenticate with the hub. Copy the certificates for the koji CA and the kojiadmin user to ~/.koji:

Note: See /etc/koji.conf for the current system wide koji client configuration. Copy /etc/koji.conf to ~/.koji/config if you wish to change the config on a per user basis.

Setting up Kerberos for authentication

The initial configuration of a kerberos service is outside the scope of this document, however there are a few specific things required by koji.

DNS

The koji builders (kojid) use DNS to find the kerberos servers for any given realm.

_kerberos._udp IN SRV 10 100 88 kerberos.EXAMPLE.COM.

The trailing dot denotes DNS root and is needed if FQDN is used.

Principals and Keytabs

It should be noted that in general you will need to use the fully qualified domain name of the hosts when generating the keytabs for services.

You will need the following principals extracted to a keytab for a fully kerborised configuration, the requirement for a host key for the koji-hub is currently hard coded into the koji client.

host/kojihub@EXAMPLE.COM

Used by the koji-hub server when communicating with the koji client

HTTP/kojiweb@EXAMPLE.COM

Used by the koji-web server when performing a negotiated Kerberos authentication with a web browser. This is a service principal for Apache's mod_auth_kerb.

koji/kojiweb@EXAMPLE.COM

Used by the koji-web server during communications with the koji-hub. This is a user principal that will authenticate koji-web to Kerberos as "koji/kojiweb@EXAMPLE.COM". Koji-web will proxy the mod_auth_kerb user information to koji-hub (the ProxyPrincipals koji-hub config option).

koji/kojira@EXAMPLE.COM

Used by the kojira server during communications with the koji-hub

compile/builder1@EXAMPLE.COM

Used on builder1 to communicate with the koji-hub

PostgreSQL Server

Once the authentication scheme has been setup your will need to install and configure a PostgreSQL server and prime the database which will be used to hold the koji users.

Configuration Files:

/var/lib/pgsql/data/pg_hba.conf

/var/lib/pgsql/data/postgresql.conf

Install PostgreSQL:

root@localhost$ yum install postgresql-server

Initialize PostgreSQL DB:

The following commands will initialize PostgreSQL and will start the database service

NOTE: When issuing the command to import the psql schema into the new database it is important to ensure that the directory path /usr/share/doc/koji*/docs/schema.sql remains intact and is not resolved to a specific version of koji. In test it was discovered that when the path is resolved to a specific version of koji then not all of the tables were created correctly

Authorize Koji-web and Koji-hub resources:In this example, Koji-web and Koji-hub are running on localhost.

/var/lib/pgsql/data/pg_hba.conf:
These settings need to be valid and inline with other services configurations.Please note, the first matching auth line is used so this line must be above any other potential matches.Add:

host koji koji 127.0.0.1/32 trust
host koji koji ::1/128 trust

You can also use UNIX socket access. The DBHost variable must be unset to use this method.Add:

Bootstrapping the initial koji admin user into the PostgreSQL database:

The initial admin user must be manually added to the user database using sql commands. Once they are added and given admin privilege, they may add additional users and change privileges of those users via the koji command line tool's administrative commands. However, if you choose to use the simple user/pass method of authentication, then any password setting/changing must be done manually via sql commands as there is no password manipulation support exposed through the koji tools.

Note: If you do not know the ID of the admin user, you can get the ID by running the query:

koji=> select * from users;

You can't actually log in and perform any actions until kojihub is up and running in your web server. In order to get to that point you still need to complete the authentication setup and the kojihub configuration. If you wish to access koji via a web browser, you will also need to get kojiweb up and running.

Koji Hub

Koji-hub is the center of all Koji operations. It is an XML-RPC server running under mod_python in Apache. koji-hub is passive in that it only receives XML-RPC calls and relies upon the build daemons and other components to initiate communication. Koji-hub is the only component that has direct access to the database and is one of the two components that have write access to the file system.

Configuration Files:

/etc/httpd/conf/httpd.conf

/etc/httpd/conf.d/kojihub.conf

/etc/httpd/conf.d/ssl.conf (when using ssl auth)

/etc/koji-hub/hub.conf

Install koji-hub:

root@localhost$ yum install koji-hub httpd mod_ssl mod_python

Required Configuration

/etc/httpd/conf/httpd.conf:

The apache web server has two places that it sets maximum requests a server will handle before the server restarts. The xmlrpc interface in kojihub is a python application, and mod_python can sometimes grow outrageously large when it doesn't reap memory often enough. As a result, it is strongly recommended that you set both instances of MaxRequestsPerChild in httpd.conf to something reasonable in order to prevent the server from becoming overloaded and crashing (at 100 the httpd processes will grow to about 75MB resident set size before respawning).

This file contains the configuration information for the hub. You will need to edit this configuration to point Koji Hub to the database you are using and to setup Koji Hub to utilize the authentication scheme you selected in the beginning.

/etc/koji-hub/hub.conf:
If using SSL auth, these settings need to be valid and inline with other services configurations for kojiweb to allow logins.
ProxyDNs should be set to the DN of the kojiweb certificate.

SELinux Configuration

If running in Enforcing mode, you will need to allow apache to connect to the postgreSQL server.

root@localhost$ setsebool -P httpd_can_network_connect_db 1

Koji filesystem skeleton

Above in the kojihub.conf file we set KojiDir to /mnt/koji. For certain reasons, if you change this, you should make a symlink from /mnt/koji to the new location (note: this is a bug and should be fixed eventually). However, before other parts of koji will operate properly, we need to create a skeleton filesystem structure for koji as well as make the file area owned by apache so that the xmlrpc interface can write to it as needed.

At this point, you can now restart the web server and you should have at least minimal operation. The admin user should be able to connect via the command line client, add new users, etc. It's possible at this time to undertake initial administrative steps such as adding users and hosts to the koji database. For example, the kojira component needs repo privileges, but if you just let the account get auto created the first time you run kojira, it won't have that privilege, so you could pre-create the account and grant it the repo privilege now.

Ensure that your client is configured to work with your server. The system-wide koji client configuration file is /etc/koji.conf, and the user-specific one is in ~/.koji/config. You may also use the "-c" option when using the Koji client to specify an alternative configuration file. If you are using SSL for authentication, specify authtype = ssl under [koji] in your Koji client configuration.

Koji Web - Interface for the Masses

Koji-web is a set of scripts that run in mod_python and use the Cheetah templating engine to provide an web interface to Koji. koji-web exposes a lot of information and also provides a means for certain operations, such as cancelling builds.

RHEL 5's mod_python publisher does not support non-basic auth, so Kerberos authentication does not currently work in EPEL 5's Koji-web. See BZ #682319.

/etc/httpd/conf.d/kojiweb.conf:
If using SSL auth, these settings need to be valid and inline with other services configurations.

<Location /koji/login>
SSLOptions +StdEnvVars
</Location>

/etc/httpd/conf.d/ssl.conf:
Add the needed SSL options for apache.

SSLVerifyClient require
SSLVerifyDepth 10

If you are using SSL authentication, the "PythonOption WebCert" file above must contain both the public and private key.

Web interface now operational

At this point you should be able to point your web browser at the kojiweb URL and be presented with the koji interface. Many operations should work in read only mode at this point, and any configured users should be able to log in.

Koji Daemon - Builder

Kojid is the build daemon that runs on each of the build machines. Its primary responsibility is polling for incoming build requests and handling them accordingly. Koji also has support for tasks other than building such as creating livecd images or raw disk images, and kojid is responsible for handling these tasks as well. kojid uses mock for creating pristine build environments and creates a fresh one for every build, ensuring that artifacts of build processes cannot contaminate each other. kojid is written in Python and communicates with koji-hub via XML-RPC.

Configuration Files:

/etc/kojid/kojid.conf - Koji Daemon Configuration

/etc/sysconfig/kojid - Koji Daemon Switches

Install kojid:

root@localhost$ yum install koji-builder

Required Configuration

/etc/kojid/kojid.conf:
This needs to point at your koji-hub.

; The URL for the xmlrpc server
server=http://hub.example.com/kojihub
; the username has to be the same as what you used with add-host
; in this example follow as below
user = kojibuilder1.example.com

This item may be changed, but may not be the same as KojiDir on the kojihub.conf file (although it can be something under KojiDir, just not the same as KojiDir)

; The directory root for temporary storage
workdir=/tmp/koji

Optional Configuration (SSL certificates)

/etc/kojid/kojid.conf:
If using SSL, these settings need to be valid.

;client certificate
; This should reference the builder certificate we created above, for
; kojibuilder1.example.com
cert = /etc/kojid/kojid.pem
;certificate of the CA that issued the client certificate
ca = /etc/kojid/koji_ca_cert.crt
;certificate of the CA that issued the HTTP server certificate
serverca = /etc/kojid/koji_ca_cert.crt

Optional Configuration (Kerberos Authentication)

/etc/kojid/kojid.conf:
If using Kerberos, these settings need to be valid and inline with other services configurations.

; the username has to be the same as what you used with add-host
;user =
host_principal_format=compile/%s@EXAMPLE.COM

By default it will look for the Kerberos keytab in /etc/kojid/kojid.keytab

Note: Kojid will not attempt kerberos authentication to the koji-hub unless the username field is commented out

Add the host entry for the koji builder to the database

Make sure you do this before you start kojid for the first time,
or you'll need to manually remove entries from the sessions and users
table before it can be run successfully.

Add the host to the createrepo channel

Channels are a way to control which builders process which tasks. By default
hosts are added to the default channel. At least some build hosts also needs to be added
to the createrepo channel so there will be someone to process repo creation tasks initiated by kojira.

A note on capacity

The default capacity of a host added to the host database is 2. This means that once the load average on that machine exceeds 2, kojid will not accept any additional tasks. This is separate from the maxjobs item in the configuration file. Before kojid will accept a job, it must pass both the test to ensure the load average is below capacity and that the current number of jobs it is already processing is less than maxjobs. However, in today's modern age of quad core and higher CPUs, a load average of 2 is generally insufficient to fully utilize hardware. As there is not an option to set the capacity of the host via the command line tools, it must be done manually in psql.

Start Kojid

Check /var/log/kojid.log to verify that kojid has started successfully.

Kojira - Yum repository creation and maintenance

Configuration Files:

/etc/kojira/kojira.conf - Kojira Daemon Configuration

/etc/sysconfig/kojira - Kojira Daemon Switches

Install kojira

root@localhost$ yum install koji-utils

Required Configuration

/etc/kojira/kojira.conf:
This needs to point at your koji-hub.

; The URL for the xmlrpc server
server=http://hub.example.com/kojihub

Additional Notes:

Kojira needs read-write access to /mnt/koji.

There should only be one instance of kojira running at any given time.

It is not recommended that kojira run on the builders, as builders only should require read-only access to /mnt/koji.

Optional Configuration

/etc/kojira/kojira.conf:
If using SSL, these settings need to be valid.

;client certificate
; This should reference the kojira certificate we created above
cert = /etc/pki/koji/kojira.pem
;certificate of the CA that issued the client certificate
ca = /etc/pki/koji/koji_ca_cert.crt
;certificate of the CA that issued the HTTP server certificate
serverca = /etc/pki/koji/koji_ca_cert.crt

If using Kerberos, these settings need to be valid.

; For Kerberos authentication
; the principal to connect with
principal=koji/kojira@EXAMPLE.COM
; The location of the keytab for the principal above
keytab=/etc/kojira.keytab

/etc/sysconfig/kojira:
The local user kojira runs as needs to be able to read and write to /mnt/koji/repos/.
If the volume that directory resides on is root-squashed or otherwise unmodifiable
by root, you can set RUNAS= to a user that has the required privileges.

Add the user entry for the kojira user

If you did not already do so above, create the kojira user, and grant it the repo permission.